Pre-Phase 2 Questionnaire

Instructions: Every contractor or organization within the QE that will have access to claim line-level CMS data is encouraged to complete this questionnaire at least 2 weeks prior to its QECP Phase 2 (data security) kick-off call. Regardless of whether the claim line-level CMS data an organization will possess meets HIPAA de-identification standards, CMS requires that every organization with access to claim line-level CMS data complete a separate QECP Data Security Workbook as part of the QE's Phase 2 application. Completion of this questionnaire is optional, but it will ensure a productive technical discussion during the Phase 2 kick-off call.

The individual with primary security responsibility at each organization should complete this questionnaire.

General Questions

Name of organization completing this form that will have access to Medicare beneficiary identifiable data: [Response]
Name of individual completing this form with primary security responsibility: [Response]
Title of individual completing this form: [Response]

Program Maturity

The following questions will help the QECP Team determine the maturity of your data security program.

Information Security Program Structure (for each statement, select from the drop down menu)

1. We have a dedicated Chief Information Officer.
2. We have a dedicated Information Security Officer.
3. We have a dedicated Privacy Officer.
4. Our SLAs/MOUs are centrally managed.
5. We have detailed Information Security Policies that have been updated within the past 365 days.
6. We have detailed Information Security Procedures that have been updated within the past 365 days.
7. The overall maturity level of our Information Security Program.*
*Refer to Appendix A: NIST Security Maturity Levels to answer Question 7.

Cloud Service Providers

The following questions will help the QECP Team determine if your organization is operating as, or working with, a Cloud Service Provider (CSP). For definitions, refer to Appendix B: Definition of Cloud Computing.

8. Does your organization operate as a CSP? Select from the drop down menu. [Click here to enter additional information]
   If yes, upload the following to your organization's secure QE applicant portal under Element 3A:
   - Evidence of FedRAMP certification
   - CMS-issued Authority to Operate (ATO)
   These documents will be reviewed by the QECP Team prior to your Phase 2 kick-off call.

9. If applicable, what Cloud Service Model is your organization employing (either internally or by contract)? Select from the drop down menu. [Click here to enter additional information]

10. Does your organization host another organization's data in your data center? Select from the drop down menu. [Click here to enter additional information]

11. Does your company have a contract with a CSP? If so, provide the name of the CSP. Select from the drop down menu. [Click here to enter additional information]

12. If there is a Business to Business agreement between your organization and the CSP:
   12a) Indicate the type: Select from the drop down menu. [Click to type your response]
   12b) Does it include the right to audit? Select from the drop down menu. [Click here to enter additional information]
   12c) Does it include the right to provide data to third parties? Select from the drop down menu. [Click here to enter additional information]

Questions about Phase 2 Review Readiness

The following questions will help the QECP Team assess your organization's readiness for the QECP Phase 2 review.

13. Does your organization review and update all data security policy and procedure documents at least once a year (every 365 days)? Select from the drop down menu. [Click here to enter additional information]

14. Do all of your organization's data security policies include sections on purpose, scope, authority, roles and responsibilities, management commitment, dissemination, log reviews, updates, sunset date, and enforceability? Select from the drop down menu. [Click here to enter additional information]
   (Note: The QECP Team recommends that all QE policies and procedures contain language that matches that listed in the CMS ARS 2.0 dash-one (-1) controls at the moderate impact level. Dash-one controls are the first control listed for each of the eighteen security control families within the QECP Data Security Workbook.)

15. Indicate your organization's compliance readiness for each of the following 18 security families. For each family, select a Response from the drop down menu and use the Additional Information field ([Click here to enter additional information]) to elaborate.
   1. AC – Access Control
   2. AT – Awareness and Training
   3. AU – Audit and Accountability
   4. CA – Certification, Accreditation and Security Assessments
   5. CM – Configuration Management
   6. CP – Contingency Planning
   7. IA – Identification and Authentication
   8. IR – Incident Response
   9. MA – System Maintenance
   10. MP – Media Protection
   11. PL – Security Planning
   12. PE – Physical Environment
   13. PS – Personnel Security
   14. RA – Risk Assessment
   15. SA – System and Services Acquisition
   16. SC – System and Communications
   17. SI – System and Information Integrity
   18. PM – Program Management

Appendix A: NIST Security Maturity Levels

For additional detailed information about each security maturity level listed below, visit:

Level 1 (Policies): Formal, up-to-date, documented policies stated as "shall" or "will" statements exist and are readily available to employees.
Level 2 (Procedures): Formal, up-to-date, documented procedures are provided to implement the security controls identified by the defined policies.
Level 3 (Implementation): Procedures are communicated to individuals who are required to follow them.
Level 4 (Test): Tests are routinely conducted to evaluate the adequacy and effectiveness of all implementations.
Level 5 (Integration): Effective implementation of IT security controls is second nature.

Appendix B: Definition of Cloud Computing

Definition of "Cloud"

Cloud computing is a business model for managing IT infrastructure and assets by "...enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models."
Cloud computing is not a new architecture, new technology, or even a new methodology. By these standards, to be classified as a "cloud computing" installation, the service/capability must either consider itself a Cloud or meet at least two of the five essential characteristics listed below:

- On-demand self-service. CMS can unilaterally provision computing capabilities, such as server time and network storage, as needed, automatically, without requiring human interaction with each service provider.
- Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick-client platforms (e.g., mobile phones, tablets, laptops, and workstations).
- Resource pooling. The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand.
- Rapid elasticity. Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.
- Measured service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and the consumer of the utilized service.

If your organization meets all five characteristics of a CSP, please visit for more on how to become FedRAMP Certified.

CMS can obtain cloud computing services from a Cloud Service Provider (CSP) using three recognized service model arrangements:

- Software as a Service (SaaS). The computing capability uses a service provider's applications running on a cloud infrastructure, where CMS would have no control over the infrastructure, network, servers, or operating system used to deliver the software.
- Platform as a Service (PaaS). CMS can deploy and control software and applications on the CSP's computing platform using the programming languages, libraries, services, and tools supported by the CSP. In this instance, CMS does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and the configuration settings for the application hosting environment.
- Infrastructure as a Service (IaaS). CMS can provision processing, storage, networks, and other fundamental computing resources as necessary to deploy and run any software, which can include operating systems and applications. CMS would not manage or control the underlying cloud infrastructure, but would have control over operating systems, storage, and deployed applications, and some limited control of select networking components.

A cloud service provider implementation must have an approved Federal Risk and Authorization Management Program (FedRAMP) ATO (i.e., FedRAMP Use Case), Provisional ATO, or an Agency ATO. A FedRAMP authorization will meet the evidence requirement for the baseline controls identified as "for CSP only" in the Data Security Workbook.

The QE must verify that the CSP meets additional CMS and HHS security, monitoring, and reporting requirements prior to selecting a cloud service. Please see the CMS Information Security Acceptable Risk Safeguards (ARS) in the Toolkit. If the CSP cannot or will not respond to the controls labelled "For CSP Only" in the Data Security Workbook, someone from the lead entity or the appropriate data partner must complete those responses; refer to your organization's FedRAMP certification for those compliance descriptions.